All about Internet Relay Chat

DAL.net adds – and is probably the first network to do this – a “text CAPTCHA” to its nick-registration process.


Their news announcement says that they want to ensure that a nickname or a channel can always be registered by a human before a bot gets to it.

They are doing this in response to a trend they noticed: they report having “seen increases in bots getting nicks and channels, holding them, and never releasing them”, and go on to say that it’s “not fair to the average person that a botnet gets a nickname before a human does”.

According to the announcement, the questions are simple and will be changed weekly – an article in their knowledgebase provides an example of a question that might be used in the registration process:

For example, if the question is “Mark’s name is?”, you would answer:
/NickServ REGISTER <password> <email> mark

The knowledgebase article states that they – for obvious reasons – won’t provide a list with all possible questions and answers but if you should have further questions you’re welcome to /join #DALnetHelp and ask them there.

Skip says:

AustNet has also done something similar, but with more of a traditional captcha than DALnet – i.e. when attempting to register with NickOP, a random code (a combination of letters and numbers) is generated and then PRIVMSG’d to the client; the client then /msg’s the code back to NickOP to complete the registration.

This was done to stop +r being given out to floodbots and was seen as a better alternative to email or web based registrations.

It does have a few issues with some clients (e.g. Mibbit squashes the ASCII together so it’s illegible); however, clients can also visit the services dept in #asd and have the code supplied to them.
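To make the two registration flows concrete, here is an added example (not DALnet’s or AustNet’s services code, and not part of the post or the comments) of how a NickServ-style service could check them on the server side: the DALnet weekly question appended to REGISTER, and the AustNet random code sent over PRIVMSG and echoed back. The question pool, the CONFIRM command name and the dates are constructed assumptions, since the real question list is not published.

```python
from __future__ import annotations
import datetime
import hmac
import secrets

# Constructed weekly question pool; the real DALnet list is not published.
QUESTIONS = [
    ("Mark's name is?", "mark"),
    ("What colour is a clear daytime sky?", "blue"),
    ("How many days are in a week?", "7"),
]


def weekly_question(today: datetime.date) -> tuple[str, str]:
    """Rotate through the pool once per ISO week, as the announcement describes."""
    week = today.isocalendar()[1]
    return QUESTIONS[week % len(QUESTIONS)]


def check_dalnet_register(line: str, today: datetime.date) -> tuple[bool, str]:
    """Validate 'REGISTER <password> <email> <answer>'. Returns (ok, reply)."""
    parts = line.split()
    if len(parts) != 4 or parts[0].upper() != "REGISTER":
        return False, "Syntax: REGISTER <password> <email> <answer>"
    _, _password, email, answer = parts
    question, expected = weekly_question(today)
    # Case-insensitive compare; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(answer.lower().encode(), expected.encode()):
        return False, f"Wrong answer to this week's question: {question}"
    return True, f"Nickname registered to {email}"


class CodeChallenge:
    """AustNet style: services PRIVMSG a random code; the user must echo it back."""

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # nick -> outstanding code

    def issue(self, nick: str) -> str:
        code = secrets.token_hex(4).upper()  # 8 unpredictable hex characters
        self.pending[nick] = code
        return f"PRIVMSG {nick} :To finish registering, /msg NickOP CONFIRM {code}"

    def confirm(self, nick: str, supplied: str) -> bool:
        expected = self.pending.pop(nick, None)  # single use: a replay fails
        if expected is None:
            return False
        return hmac.compare_digest(supplied.upper().encode(), expected.encode())
```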

I fail to see any real security in text captcha in any form. For it to work on the client side there’d have to be a syntax commonality, and that’s all I need to write a script to bypass it. Text-based reg tokens, even random ones fed to the user in a predictable place in the text, can also be captured by a script and returned. Even by changing DAL’s question weekly, I can still wreak havoc for that week and recode the script for the following weeks until I get bored.

I maintain that email registration and limiting the number of accounts per email is the better way. Registration can then be controlled by blacklisting free email providers such as Hotmail etc., and some popular services packages have built-in abilities or modules that allow staff to blacklist providers as well as the ability to ban or drop nicks based on email address. With email registration you can use a REAL captcha and have the user either click the link or enter the code via IRC. I find it hard to believe that anyone who has internet access doesn’t have an ISP-based email address. While I’m sure it’s possible, most would rather use free accounts to remain anonymous. To them I say: since you don’t wish to share a way to contact your provider in the event you do something malicious on my system, then my services are not available to you. You don’t have the right to demand services to be rendered, and if you want to be that shady, then you can move along, because I’m not going to sacrifice the security of my loyal users (who don’t mind that I have a valid email address for them) just so you can register from Hotmail. If you are afraid that the network at hand is farming email addresses, then pick a different network.

Not all countries and service providers give a free e-mail account with their connections. I never got any kind of e-mail account from my provider, which meant I had to turn to a free host like gmail. This is the case with many users all over the net.

Less hassle? Maybe. But you’ll end up losing a lot of users that for one or another reason do not want to use or even have an e-mail address given to them by their provider. So the only outcome from forcing this on users is that you force them right off your network (and maybe even IRC).

I disagree, trix; networks have been using and forcing email registration for 15+ years now, even the “big 4” do it. Such networks go from 200 users to 140,000+ users with a million-plus registered nicks. Apparently there are many who really don’t mind. DALnet being one such network.

No matter what you do you will “piss some people off”, that’s unavoidable. You may be pissed at UnderNet for their registration process, but you must admit that even that is rather trivial compared to what can happen en masse without any countermeasures at all.

My overall stance is that as a user you shouldn’t get so uptight because you have to jump through a few hoops to register your nick. If you can’t spend a little time securing an account, why should the network spend even more time catering to you? I’ve always disliked having to go the extra mile, meeting people nowhere near the middle, because they are too lazy or uninterested in doing their share of the work.

Back on track though, including a REAL captcha in an email is still far more secure than a text based captcha that can still be parsed by scripts. Even if the captcha is in the form of a question and changes weekly.

I agree on using mail based authentication. What I don’t agree about is forcing the use of ISP only accounts.

Many online services use e-mail authentication and it’s pretty secure from bots in its design. I’m yet to meet a bot that can act both as a spamming agent and as an e-mail host/client.

IRC-based security systems can be bypassed – question lists can be compiled and patterns in how the questions are set can be recognized. It’s a human fallacy that we follow patterns, and this will probably be the case with the CAPTCHA design.

Yesterday I saw an interesting idea: ASCII art that acts as an image, when I was trying to connect to a big server. The downside is that it won’t work on all clients, especially not mIRC without a fixed-width font for the status window…

So it’s down to the good old e-mail authentication. It works – why mess with it?